Merge pull request #109 from CybercentreCanada/strip_powershell_cmd_q…

…uotes Stripping quotes in get_pwsh_cmd
CybercentreCanada · Oct 16, 2024 · f0e5f9a · f0e5f9a
2 parents ab14a41 + 8fac1ca
commit f0e5f9a
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/src/multidecoder/decoders/shell.py b/src/multidecoder/decoders/shell.py
@@ -181,4 +181,10 @@ def get_cmd_command(cmd: bytes) -> bytes:
 
 def get_powershell_command(powershell: bytes) -> bytes:
     match = re.match(POWERSHELL_ARGS_RE, powershell)
-    return powershell[match.end() :] if match else powershell
+    if not match:
+        return powershell
+    command = powershell[match.end() :]
+    # Strip if the command starts and end with a double quote (34) or single quote (39)
+    if len(command) > 1 and command[0] in [34, 39] and command[0] == command[-1]:
+        command = command[1:-1]
+    return command
diff --git a/tests/test_decoders/test_shell.py b/tests/test_decoders/test_shell.py
@@ -343,3 +343,12 @@ def test_get_powershell_command_exe():
 
 def test_get_powershell_command_args():
     assert get_powershell_command(b"powershell -arg1 -arg2 command") == b"command"
+
+
+def test_get_powershell_command_quotes():
+    assert (
+        get_powershell_command(
+            b"powershell.exe -c \"&{'p8ArwZsj8ZO+Zy/dHPeI';$BxQ='<base64content>';$KOKN='<base64content>';$KOKN=$KOKN+$BxQ;$GBUus=$KOKN;$xCyRLo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($GBUus));$GBUus=$xCyRLo;iex($GBUus)}\""
+        )
+        == b"&{'p8ArwZsj8ZO+Zy/dHPeI';$BxQ='<base64content>';$KOKN='<base64content>';$KOKN=$KOKN+$BxQ;$GBUus=$KOKN;$xCyRLo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($GBUus));$GBUus=$xCyRLo;iex($GBUus)}"
+    )